This event has ended. Visit the official site or create your own event on Sched.
Back To Schedule
Saturday, October 12 • 1:00pm - 3:00pm
RT-3022 Alternative C2 Frameworks Part 2 - Covenant

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

In the age of EDR products, Red Teamers need to be able to customize everything on the fly - stock
Command and Control (C2) frameworks and agents quickly become insufficient. Why stop at simple
obfuscation or name changes for customization though? Red Teamers can leverage operational data to
track artifacts created on target, create callback hierarchies, and even map operations to MITRE
ATT&CK. In this workshop, we'll present two C2 frameworks designed with customizability and
collaboration in mind - Apfell and Covenant.
Students will navigate a series of labs to illustrate the advantages and use cases for when to use Apfell
and Covenant over other frameworks while in a simulated Active Directory enterprise environment. They
should expect to be able to install, customize, and leverage these frameworks within operational
environments when they get back to the office.

Workshop Outline (outline of teaching topics)
  • Intro to Covenant
  • Overview of lab scenario
  • Discuss install (but don't do it live)
  • Walk through lab, highlighting the following:
  • Changing something on the fly
  • Customized C2 traffic
  • Using modules (how it integrates with other tools people might use now, like powershell scripts or other .net programs)
  • How to add a new module
  • Lateral movement (and intro to smb c2)
  • Reporting (artifacts and otherwise)

avatar for Cody Thomas

Cody Thomas

n/a, SpecterOps
Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created theinitial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team atMITRE. Cody has spoken at a few conferences and works on his open source framework for macOS... Read More →
avatar for Ryan Cobb

Ryan Cobb

Consultant, SpecterOps
Ryan Cobb is an operator and red teamer at SpecterOps, who specializes in building offensive securitytoolsets. Ryan has contributed to several open source security projects, such as Empire and Invoke-Obfuscation, and is the author of PSAmsi, SharpSploit, and Covenant. Ryan has presented... Read More →

Saturday October 12, 2019 1:00pm - 3:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3